Norman M. Sadeh, Ph.D.
Smart Phone Security & Privacy:
What Should We Teach Our Users
…and How?
Professor, School of Computer Science
Director, Mobile Commerce Lab., Carnegie Mellon University
Co-Founder & Chief Scientist, Wombat Security Technologies
Copyright © 2011-2012 Norman M. Sadeh
The Smart Phone Invasion
FISSEA 2012 - 2
BYOD: The New Frontier
48% of employees will buy their own devices – whether their organization approves that particular device or NOT! (Forrester Research)
Blur between work life & private life
Unrealistic policies don’t work – even if they look good
“If you can’t fight them, join them”
…hopefully under your own terms…
The Problem is that…
BYOD implies users who are:
responsible
knowledgeable
accountable
Is this truly possible?
Do we really have a choice?
Training has a Big Role to Play
…But training has traditionally failed
Security is a secondary task:
employees are not motivated to learn
Traditional delivery methods and content have not been very compelling
Required knowledge is vast & continues to grow
Practical strategies and tips are not always easy to articulate
Mobile Security & Privacy Training
…at least as complex…
Mediates a wide range of scenarios
Phone calls, SMS, camera, location, email, apps and much more
Lack of awareness: People do not think of their smart phone as a computer
Variety of devices
…and obviously they are mobile devices…
P. Gage Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, D. Wetherall, “A Conundrum of Permissions: Installing Applications on an Android Smartphone”, USEC2012.
Android Permissions: An Example of the Challenges We Face
What Are We Up Against?
Misconceptions: Most users did not realize that apps were not vetted
Unusable security: Most users do not understand Android permissions
Bad habits & cognitive biases: Most users rely on word of mouth and star ratings
Users always proceed with the download of apps, even though they don’t understand the permissions
Where Do We Start?
Understanding the Risks: The Big Gap
Most people do not realize how sensitive their phones are
…and How Vulnerable They Are…
Challenge them to take quizzes
…or better: Motivate them via mock attacks
Nothing beats showing a user how vulnerable (s)he is
Phishing as An Example
Email phishing: Much worse on mobile phones
Mobile users are first to arrive at phishing websites
Mobile users 3x more likely to submit credentials than desktop users
Source: Trusteer, Jan. 2011 – similar
Teach people in the context they would be attacked
If a person falls for simulated phish, then pop up an intervention
Unique “teachable moment”
Training via Mock Attacks: PhishGuru
PhishGuru campaign workflow: Select Target Employees → Customize Fake Phishing → Select Training → Internal Test and Approval Process → Hit Send → Monitor & Analyze Employee Response
This really works!
Reduces the chance of falling for an attack by more than 70% !
Actual Results (chart: percentage of employees who viewed the email and clicked the link, Campaigns 1 through 3; axis 0–40%)
Starting with the Most Common Threats
Source for image: http://www.malaysianwireless.com/2011/09/advice-how-to-protect-your-smartphone/
Millions of cell phones lost or stolen each year
Majority of smart phone users still do not have PINs
Learning by Doing is Critical
Teach people to better appreciate the risks
Create mock situations
Force them to make decisions
Provide them with feedback
Gradually Move Towards More Complex Tasks
Mobile Apps
Location
Social Networking
Mobile Apps
Challenge: difficult to come up with foolproof rules
Train people to be suspicious & look for possible red flags
Emphasis on: Learning by doing
Feedback
Opportunities for reflection
From Simple to Increasingly Realistic
Concluding Remarks
BYOD trends make training critical
Users have little awareness of the risks associated with smart phones
Effective training requires adoption of learning science principles
Creating realistic scenarios – including mock attacks
Interactive training - Learning by doing
Start with most common risks
Training has to be part of an employee’s daily life – repetition & variations are critical
http://wombatsecurity.com
http://mcom.cs.cmu.edu
Q&A